4b5209ab46fa0523d376f0a0ba3dd24a91c76eff3fc2d72f2371186a3b24abe2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sunnyeitatet.bat
Size

999B
MD5

cb9764285d399fce12332ed84fde94ef
SHA1

6a6232ab2215c03b824740e6862b94877e71f5fc
SHA256

4b5209ab46fa0523d376f0a0ba3dd24a91c76eff3fc2d72f2371186a3b24abe2
SHA512

dbca31dfd1364954b8af7575a3190e17309bd5c5767e9c7f0e4fae10dc0e1eae9a8de104642c990a59ac4b294ff5e53731fcebaa0324813ac91622e62691d9b9

Score

1^/10

Malware Config

Signatures

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1104	NETSTAT.EXE
5096	NETSTAT.EXE
4672	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4116	tskill.exe
4116	tskill.exe
2472	tskill.exe
2472	tskill.exe
216	tskill.exe
216	tskill.exe
1284	tskill.exe
1284	tskill.exe
4316	tskill.exe
4316	tskill.exe
4364	tskill.exe
4364	tskill.exe
2568	tskill.exe
2568	tskill.exe
2260	tskill.exe
2260	tskill.exe
1860	tskill.exe
1860	tskill.exe
1880	tskill.exe
1880	tskill.exe
1972	tskill.exe
1972	tskill.exe
3212	tskill.exe
3212	tskill.exe
3164	tskill.exe
3164	tskill.exe
4620	tskill.exe
4620	tskill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	NETSTAT.EXE
Token: SeDebugPrivilege	4672	NETSTAT.EXE
Token: SeDebugPrivilege	1104	NETSTAT.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 2472	1412	cmd.exe	89
PID 1412 wrote to memory of 2472	1412	cmd.exe	89
PID 1412 wrote to memory of 4116	1412	cmd.exe	91
PID 1412 wrote to memory of 4116	1412	cmd.exe	91
PID 1412 wrote to memory of 216	1412	cmd.exe	93
PID 1412 wrote to memory of 216	1412	cmd.exe	93
PID 1412 wrote to memory of 1284	1412	cmd.exe	95
PID 1412 wrote to memory of 1284	1412	cmd.exe	95
PID 1412 wrote to memory of 4316	1412	cmd.exe	96
PID 1412 wrote to memory of 4316	1412	cmd.exe	96
PID 1412 wrote to memory of 1860	1412	cmd.exe	97
PID 1412 wrote to memory of 1860	1412	cmd.exe	97
PID 1412 wrote to memory of 4364	1412	cmd.exe	99
PID 1412 wrote to memory of 4364	1412	cmd.exe	99
PID 1412 wrote to memory of 2568	1412	cmd.exe	102
PID 1412 wrote to memory of 2568	1412	cmd.exe	102
PID 1412 wrote to memory of 3212	1412	cmd.exe	103
PID 1412 wrote to memory of 3212	1412	cmd.exe	103
PID 1412 wrote to memory of 1972	1412	cmd.exe	104
PID 1412 wrote to memory of 1972	1412	cmd.exe	104
PID 1412 wrote to memory of 3164	1412	cmd.exe	106
PID 1412 wrote to memory of 3164	1412	cmd.exe	106
PID 1412 wrote to memory of 1880	1412	cmd.exe	107
PID 1412 wrote to memory of 1880	1412	cmd.exe	107
PID 1412 wrote to memory of 4620	1412	cmd.exe	109
PID 1412 wrote to memory of 4620	1412	cmd.exe	109
PID 1412 wrote to memory of 2260	1412	cmd.exe	110
PID 1412 wrote to memory of 2260	1412	cmd.exe	110
PID 1412 wrote to memory of 4080	1412	cmd.exe	127
PID 1412 wrote to memory of 4080	1412	cmd.exe	127
PID 1412 wrote to memory of 3180	1412	cmd.exe	128
PID 1412 wrote to memory of 3180	1412	cmd.exe	128
PID 1412 wrote to memory of 3768	1412	cmd.exe	129
PID 1412 wrote to memory of 3768	1412	cmd.exe	129
PID 1412 wrote to memory of 5096	1412	cmd.exe	130
PID 1412 wrote to memory of 5096	1412	cmd.exe	130
PID 1412 wrote to memory of 4672	1412	cmd.exe	131
PID 1412 wrote to memory of 4672	1412	cmd.exe	131
PID 1412 wrote to memory of 1104	1412	cmd.exe	132
PID 1412 wrote to memory of 1104	1412	cmd.exe	132
PID 1412 wrote to memory of 3224	1412	cmd.exe	133
PID 1412 wrote to memory of 3224	1412	cmd.exe	133

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sunnyeitatet.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\system32\tskill.exe
  tskill explorer
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2472
- C:\Windows\system32\tskill.exe
  tskill explorer
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4116
- C:\Windows\system32\tskill.exe
  tskill explorer
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:216
- C:\Windows\system32\tskill.exe
  tskill explorer
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1284
- C:\Windows\system32\tskill.exe
  tskill explorer
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4316
- C:\Windows\system32\tskill.exe
  tskill explorer
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Windows\system32\tskill.exe
  tskill explorer
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4364
- C:\Windows\system32\tskill.exe
  tskill explorer
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2568
- C:\Windows\system32\tskill.exe
  tskill explorer
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3212
- C:\Windows\system32\tskill.exe
  tskill explorer
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1972
- C:\Windows\system32\tskill.exe
  tskill explorer
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3164
- C:\Windows\system32\tskill.exe
  tskill explorer
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1880
- C:\Windows\system32\tskill.exe
  tskill explorer
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\Windows\system32\tskill.exe
  tskill explorer
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2260
- C:\Windows\system32\tree.com
  Tree
  2⤵
  PID:4080
- C:\Windows\system32\tree.com
  Tree
  2⤵
  PID:3180
- C:\Windows\system32\tree.com
  Tree
  2⤵
  PID:3768
- C:\Windows\system32\NETSTAT.EXE
  Netstat -n
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\Windows\system32\NETSTAT.EXE
  Netstat -n
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:4672
- C:\Windows\system32\NETSTAT.EXE
  Netstat -n
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\system32\driverquery.exe
  Driverquery
  2⤵
  PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...